Fail2ban for Proxmox 3.1

emanuelebruno

Taking a look at this link http://pve.proxmox.com/wiki/Fail2ban it seems that it lacks updates for the newest Proxmox 3.1, so I have decided to write down the following guide (it is a translation and adaptation of this guide http://wiki.csnu.org/index.php?title=Proxmox3#Prot.C3.A9ger_l.27interface_web_avec_fail2ban ):

Protecting the web interface with fail2ban

Code:
aptitude install fail2ban

Add the following string to the end of this file /etc/fail2ban/jail.local :

Code:
[proxmox3]
enabled = true
port = https,http,8006
filter = proxmox3
logpath = /var/log/daemon.log
maxretry = 3
# 1 hour (kept on its own line: a trailing '#' comment would be read as part of the value)
bantime = 3600

Create the file /etc/fail2ban/filter.d/proxmox3.conf :

Code:
[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =

You can test your configuration with the command :

Code:
fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox3.conf

Restart fail2ban:

Code:
/etc/init.d/fail2ban restart

PS Can you update your wiki?
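What the filter and jail settings above do with log lines, as an added example that is not part of the original post or the Proxmox wiki. The log lines are constructed, the `<HOST>` pattern is a simplified stand-in for fail2ban's own expansion, and the 600-second findtime is assumed to be the fail2ban default since the post does not set one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# failregex exactly as in filter.d/proxmox3.conf above
FAILREGEX = r"pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*"
# Assumption: simplified stand-in for fail2ban's <HOST> expansion
# (optional IPv4-mapped IPv6 prefix, then a hostname or address).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"
MAXRETRY = 3                        # from the [proxmox3] jail
FINDTIME = timedelta(seconds=600)   # assumption: fail2ban's default findtime

# Constructed daemon.log lines (documentation addresses, made-up PIDs).
SAMPLE_LOG = """\
Jan 10 12:00:01 pve pvedaemon[2114]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
Jan 10 12:00:05 pve pvedaemon[2114]: authentication failure; rhost=192.0.2.10 user=admin@pve msg=no such user ('admin@pve')
Jan 10 12:00:07 pve pvedaemon[2115]: <root@pam> successful auth for user 'root@pam'
Jan 10 12:00:09 pve pvedaemon[2114]: authentication failure; rhost=192.0.2.10 user=root@pam msg=Authentication failure
Jan 10 12:01:00 pve pvedaemon[2116]: authentication failure; rhost=::ffff:198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 12:02:00 pve pvedaemon[2116]: authentication failure; rhost=::ffff:198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 12:20:00 pve pvedaemon[2116]: authentication failure; rhost=::ffff:198.51.100.7 user=root@pam msg=Authentication failure
Jan 10 12:21:00 pve sshd[991]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
"""

def parse_failures(log_text, year=2016):
    """Return (timestamp, host) for every line the filter would count."""
    rx = re.compile(FAILREGEX.replace("<HOST>", HOST))
    hits = []
    for line in log_text.splitlines():
        m = rx.search(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits

def hosts_to_ban(log_text):
    """Hosts reaching MAXRETRY matched failures inside one FINDTIME window."""
    recent, banned = defaultdict(list), []
    for ts, host in parse_failures(log_text):
        recent[host] = [t for t in recent[host] if ts - t <= FINDTIME] + [ts]
        if len(recent[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    for ts, host in parse_failures(SAMPLE_LOG):
        print(ts.time(), host)
    print("would be banned:", hosts_to_ban(SAMPLE_LOG))
```

The successful login and the sshd line are ignored because the filter only counts pvedaemon failures; running fail2ban-regex against the real log remains the authoritative check.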
 
I was just looking around at Fail2ban for Proxmox. Thanks a lot for your contribution.

You should be able to create/request an account on the wiki and update it yourself.
 
Hi there, you forgot to copy jail.conf to jail.local before editing the file.

For users without experience with fail2ban, it's not easy to understand.

Nice wiki update =)
 
YEAH... this is ok.

Now we have updated docs to install fail2ban on Proxmox servers without the need to open a lot of posts and pages =)

Thank you for it m.ardito!
 
Would these instructions be compatible with Proxmox 4 and the firewall it uses? And does one have to turn the node firewall on in the GUI or is this independent?
 
As Debian is switching to systemd, I would recommend starting/enabling the service as follows:

# systemctl start fail2ban
# systemctl enable fail2ban



And while we're at it, change proxmox3 to proxmox4 for the sake of being nitpicky.

/etc/fail2ban/jail.local

[proxmox4]
enabled = true
port = https,http,8006
filter = proxmox4
logpath = /var/log/daemon.log
maxretry = 3
bantime = 3600


/etc/fail2ban/filter.d/proxmox4.conf

[Definition]
failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
ignoreregex =
 
The only thing I would add is that I had to reboot my node (not sure why) in order for this to take effect. After I did that it started working. I scratched my head for 30 minutes fiddling about with the config files (the regex checked out when I ran the command to check for matches and the fail2ban.log file showed that the service was running... hence I was a bit frustrated). I did note that iptables wasn't showing any banned IPs... Speaking of which, if you want to see banned IPs in your iptables, this works well:

iptables -L fail2ban-proxmox

or perhaps (depending on your file naming scheme for fail2ban config file):

iptables -L fail2ban-proxmox3

iptables -L fail2ban-proxmox4

One other note, I am running firewalls across the board. Datacenter, Node, and VM/Container on Proxmox 4.1. This DOES WORK with all of that enabled, it just took a reboot for it to start working for me.

Anyhow, thank you for the excellent contribution!
 
> And while we're at it, change proxmox3 to proxmox4 for the sake of being nitpicky.

If the two are otherwise compatible why include the version number at all? ;-)
 
